Detecting fraud rings in mobile communications networks

ABSTRACT

An example method performed by a processing system obtaining a first port-in number for a first mobile device from a first mobile communications service provider, wherein the first port-in number is known to be involved in fraudulent activity, constructing a social graph of communications between the first port-in number and a plurality of other numbers associated with a plurality of other communications devices, identifying, by the processing system, a maximal subgraph of the social graph, wherein the maximal subgraph connects the first port-in number and a subset of the plurality of other numbers that includes those of the plurality of other numbers for which a usage metric is below a predefined threshold for a defined period of time prior to the first port-in number being ported into the first mobile communications service provider, and identifying, by the processing system, a potential fraud ring, based on the maximal subgraph.

This application is a continuation of U.S. patent application Ser. No.16/870,871, filed May 8, 2020, now U.S. Pat. No. 11,477,651, which isherein incorporated by reference in its entirety.

The present disclosure relates generally to fraud detection, and relatesmore particularly to devices, non-transitory computer-readable media,and methods for detecting fraud rings in mobile communications networks.

BACKGROUND

Fraud costs consumers billions of dollars each year, collectively.Moreover, an individual victim of fraud may spend much time trying torepair the non-financial damage of the fraud, such as replacingcredentials and equipment, resetting access to accounts, and the like.For instance, a perpetrator of fraud may gain access to the accountpassword of a mobile phone service subscriber, and may use the passwordto add himself to the account, to purchase a mobile phone, and/or tomake other changes to the account settings. Similar methods may be usedto fraudulently obtain other types of goods and services, such as creditcards, Internet service, and the like.

BRIEF DESCRIPTION OF THE DRAWINGS

The teachings of the present disclosure can be readily understood byconsidering the following detailed description in conjunction with theaccompanying drawings, in which:

FIG. 1 illustrates an example network related to the present disclosure;

FIG. 2 illustrates a flowchart of an example method for automaticallydetecting fraud rings in mobile communications networks, in accordancewith the present disclosure;

FIG. 3A illustrates an example social graph that may be constructedaccording to the method of FIG. 2 , using the information contained inTable 1;

FIG. 3B illustrates the example social graph of FIG. 3A that has beenexpanded by one hop using the information contained in Table 1;

FIG. 3C illustrates the example social graph of FIG. 3A that has beenexpanded by two hops using the information contained in Table 1;

FIG. 3D illustrates an example maximal subgraph that may be extractedfrom the example expanded social graph of FIG. 3C; and

FIG. 4 illustrates a high-level block diagram of a computing devicespecifically programmed to perform the steps, functions, blocks and/oroperations described herein.

To facilitate understanding, identical reference numerals have beenused, where possible, to designate identical elements that are common tothe figures.

DETAILED DESCRIPTION

In one example, the present disclosure describes a device,computer-readable medium, and method for automatically detecting fraudrings in mobile communications networks. For instance, in one example, amethod performed by a processing system including at least one processorincludes obtaining a first port-in number for a first mobile device froma first mobile communications service provider, wherein the firstport-in number is known to be involved in fraudulent activity,constructing a social graph of communications between the first port-innumber and a plurality of other numbers associated with a plurality ofother communications devices, identifying, by the processing system, amaximal subgraph of the social graph, wherein the maximal subgraphconnects the first port-in number and a subset of the plurality of othernumbers that includes those of the plurality of other numbers for whicha usage metric is below a predefined threshold for a defined period oftime prior to the first port-in number being ported into the firstmobile communications service provider, and identifying, by theprocessing system, a potential fraud ring, based on the maximalsubgraph.

In another example, a device includes a processing system including atleast one processor and a computer-readable medium storing instructionswhich, when executed by the processing system, cause the processingsystem to perform operations. The operations include obtaining a firstport-in number for a first mobile device from a first mobilecommunications service provider, wherein the first port-in number isknown to be involved in fraudulent activity, constructing a social graphof communications between the first port-in number and a plurality ofother numbers associated with a plurality of other communicationsdevices, identifying, by the processing system, a maximal subgraph ofthe social graph, wherein the maximal subgraph connects the firstport-in number and a subset of the plurality of other numbers thatincludes those of the plurality of other numbers for which a usagemetric is below a predefined threshold for a defined period of timeprior to the first port-in number being ported into the first mobilecommunications service provider, and identifying, by the processingsystem, a potential fraud ring, based on the maximal subgraph.

In another example, a non-transitory computer-readable medium storesinstructions which, when executed by a processing system including atleast one processor, cause the processing system to perform operations.The operations include obtaining a first port-in number for a firstmobile device from a first mobile communications service provider,wherein the first port-in number is known to be involved in fraudulentactivity, constructing a social graph of communications between thefirst port-in number and a plurality of other numbers associated with aplurality of other communications devices, identifying, by theprocessing system, a maximal subgraph of the social graph, wherein themaximal subgraph connects the first port-in number and a subset of theplurality of other numbers that includes those of the plurality of othernumbers for which a usage metric is below a predefined threshold for adefined period of time prior to the first port-in number being portedinto the first mobile communications service provider, and identifying,by the processing system, a potential fraud ring, based on the maximalsubgraph.

As discussed above, fraud costs consumers billions of dollars each year,collectively. Moreover, an individual victim of fraud may spend muchtime trying to repair the non-financial damage of the fraud, such asreplacing credentials and equipment, resetting access to accounts, andthe like. For instance, a perpetrator of fraud may gain access to theaccount password of a mobile phone service subscriber, and may use thepassword to add himself to the account, to purchase a mobile phone,and/or to make other changes to the account settings. Similar methodsmay be used to fraudulently obtain other types of goods and services,such as credit cards, Internet service, and the like.

Often, the perpetrators of fraud do not work alone, but work together asa team or a “ring.” Working together, a fraud ring can inflict muchgreater losses on its victims than an individual perpetrator workingalone. Some fraud rings have developed fairly sophisticated systems forperpetrating fraud. Thus, where a fraud ring is involved, it may not beenough to identify simply one perpetrator; if the other perpetrators arenot also identified and stopped, the fraud may continue.

Examples of the present disclosure use social graphs to detect theexistence of, and membership in, fraud rings in mobile communicationsnetworks. In one example, high risk port-in numbers and/or numbers thatare considered to be high risk based on other information (e.g., port-innumbers that are known to be involved in fraudulent activity) are usedas seeds to build a social graph. Within the context of the presentdisclosure, a “port-in number” is understood to be a mobile phone numberthat a mobile phone service subscriber transfers from a first mobilecommunications service provider to a second, subsequent mobilecommunications service provider. In other words, a port-in number is amobile phone number that a subscriber may take with him even when hechanges mobile communications service providers. Furthermore, within thecontext of the present disclosure, a “social graph” is understood to bea graphical representation of the social connections between mobilephone service subscribers, where nodes represent the subscribers, andlinks between nodes represent the social connections (e.g., callingrelationships) between the subscribers represented by the nodes.

In one example, a high-risk port-in number is a number that is known tobe involved in fraudulent activity. In another example, a high-risknumber is a number that is suspected to be involved in fraudulentactivity (but is not known, for a fact, to be involved in fraudulentactivity). In one example, a number that is suspected to be involved infraudulent activity may be identified based on a usage metric for thenumber falling below a predefined threshold for a defined period of timeprior to port-in. It has been observed that for port-in numbers, for aperiod of time prior to the actual port-in (e.g., between thirty andninety days prior to port-in), the usage of phone numbers associatedwith fraud tends to be significantly lower than the usage of phonenumbers not associated with fraud. In other words, if a port-in numberis associated with fraud, the usage of the port-in number may beexpected to be relatively low for the thirty to ninety days prior toport-in.

In one example, by building a social graph around a high risk port-innumber and extending the social graph to a certain number of hops (e.g.,at least three hops in some examples), subgraphs that connectsubscribers who have previously been identified as high risk (e.g.,likely to be involved in fraudulent activities or known to have actuallybeen involved in fraudulent activities, based on a usage metric beingbelow a predefined threshold for a defined period of time prior toport-in of the seed number) can be extracted. These subgraphs may beuseful in identifying individuals who are working together as members offraud rings.

Thus, examples of the present disclosure may be especially useful indetecting the sales of new and/or added mobile phone lines to anexisting or newly established mobile phone account, where a port-innumber is specified. In such a case, the ported-in numbers may notnecessarily be (and usually are not) accounts that are assigned by thecurrent mobile communications service provider (i.e., the serviceprovider to which the numbers are ported). The detected information maybe used to protect the accounts and information of legitimate mobilephone service subscribers and/or to alert authorities to the existenceand identities of potential fraud rings. Examples of the presentdisclosure may also be useful in creating a blacklist (or at leastspecifying an elevated level of risk) for certain port-in numbers.However, it should be understood that examples of the present disclosuremay be extended to detect fraud rings in industries other than mobilecommunications as well; thus, the present disclosure is not limited tothe example context described herein. Moreover, it is noted thatexamples of the present disclosure are able to identify instances offraud and fraud rings without knowing the actual content of anytelecommunications transactions exchanged between members of the fraudring. In other words, the privacy of the subscribers can be preserved.

To further aid in understanding the present disclosure, FIG. 1illustrates an example system 100 in which examples of the presentdisclosure may operate. The system 100 may include any one or more typesof communication networks, such as a traditional circuit switchednetwork (e.g., a public switched telephone network (PSTN)) or a packetnetwork such as an Internet Protocol (IP) network (e.g., an IPMultimedia Subsystem (IMS) network), an asynchronous transfer mode (ATM)network, a wireless network, a cellular network (e.g., 2G, 3G, and thelike), a long term evolution (LTE) network, 5G and the like related tothe current disclosure. It should be noted that an IP network is broadlydefined as a network that uses Internet Protocol to exchange datapackets. Additional example IP networks include Voice over IP (VoIP)networks, Service over IP (SoIP) networks, and the like.

In one example, the system 100 may comprise a network 102, e.g., atelecommunications service provider network, a core network, or anenterprise network comprising infrastructure for computing andcommunications services of a business, an educational institution, agovernmental service, or other enterprises. The network 102 may be incommunication with one or more access networks 110 and 112, and theInternet (not shown). In one example, network 102 may combine corenetwork components of a cellular network with components of a tripleplay service network; where triple-play services include telephoneservices (e.g., wired and/or wireless telephone services), Internet ordata services, and television services to subscribers. For example,network 102 may functionally comprise a fixed mobile convergence (FMC)network, e.g., an IP Multimedia Subsystem (IMS) network. In addition,network 102 may functionally comprise a telephony network, e.g., anInternet Protocol/Multi-Protocol Label Switching (IP/MPLS) backbonenetwork utilizing Session Initiation Protocol (SIP) for circuit-switchedand Voice over internet Protocol (VoIP) telephony services. Network 102may further comprise a broadcast television network, e.g., a traditionalcable provider network or an internet Protocol Television (IPTV)network, as well as an Internet Service Provider (ISP) network. In oneexample, network 102 may include a plurality of television (TV) servers(e.g., a broadcast server, a cable head-end), a plurality of contentservers, an advertising server (AS), an interactive TV/video on demand(VoD) server, and so forth.

In one example, the access networks 110 and 112 may comprise broadbandoptical and/or cable access networks, Local Area Networks (LANs),wireless access networks (e.g., an IEEE 802.11/Wi-Fi network and thelike), cellular access networks, Digital Subscriber Line (DSL) networks,public switched telephone network (PSTN) access networks, 3^(rd) partynetworks, and the like. For example, the operator of network 102 mayprovide a cable television service, an IPTV service, or any other typesof telecommunication service to subscribers via access networks 110 and112. In one example, the access networks 110 and 112 may comprisedifferent types of access networks, may comprise the same type of accessnetwork, or some access networks may be the same type of access networkand other may be different types of access networks. In one example, thenetwork 102 may be operated by a telecommunications network serviceprovider. The network 102 and the access networks 110 and 112 may beoperated by different service providers, the same service provider or acombination thereof, or may be operated by entities having corebusinesses that are not related to telecommunications services, e.g.,corporate, governmental or educational institution LANs, and the like.

In one example, the access network 110 may be in communication with oneor more user endpoint devices (also referred to as “endpoint devices” or“UEs”) 114 ₁-114 _(n) (hereinafter individually referred to as a “UE114” or collectively referred to as “UEs 114”), while the access network112 may be in communication with one or more user endpoint devices 116₁-116 _(m) (hereinafter individually referred to as a “UE 116” orcollectively referred to as “UEs 116”). Access networks 110 and 112 maytransmit and receive communications between respective UEs 114 and 116and core network 102 relating to communications with web servers, AS104, and/or other servers via the Internet and/or other networks, and soforth.

In one embodiment, the user endpoint devices 114 and 116 may be any typeof subscriber/customer endpoint device configured for wirelesscommunication such as a laptop computer, a Wi-Fi device, a PersonalDigital Assistant (PDA), a mobile phone, a smartphone, an email device,a computing tablet, a messaging device, a wearable “smart” device (e.g.,a smart watch or fitness tracker), a portable media device (e.g., an MP3player), a gaming console, a portable gaming device, a set top box, asmart television, and the like. In one example, any one or more of theuser endpoint devices 114 and 116 may have both cellular andnon-cellular access capabilities and may further have wiredcommunication and networking capabilities (e.g., such as a desktopcomputer). In one example, at least some of the UEs 114 and 116 arereachable using unique subscriber numbers (e.g., phone numbers). Itshould be noted that although only four user endpoint devices areillustrated in FIG. 1 , any number of user endpoint devices may bedeployed.

In accordance with the present disclosure, network 102 may include anapplication server (AS) 104, which may comprise a computing system orserver, such as computing system 400 depicted in FIG. 4 , and may beconfigured to provide one or more operations or functions in connectionwith examples of the present disclosure for automatically detectingfraud rings in mobile communications networks. The network 102 may alsoinclude a database (DB) 106 that is communicatively coupled to the AS104.

It should be noted that as used herein, the terms “configure,” and“reconfigure” may refer to programming or loading a processing systemwith computer-readable/computer-executable instructions, code, and/orprograms, e.g., in a distributed or non-distributed memory, which whenexecuted by a processor, or processors, of the processing system withina same device or within distributed devices, may cause the processingsystem to perform various functions. Such terms may also encompassproviding variables, data values, tables, objects, or other datastructures or the like which may cause a processing system executingcomputer-readable instructions, code, and/or programs to functiondifferently depending upon the values of the variables or other datastructures that are provided. As referred to herein a “processingsystem” may comprise a computing device including one or moreprocessors, or cores (e.g., as illustrated in FIG. 4 and discussedbelow) or multiple computing devices collectively configured to performvarious steps, functions, and/or operations in accordance with thepresent disclosure. Thus, although a single application server (AS) 104and a single database (DB) are illustrated, it should be noted that anynumber of servers may be deployed, and which may operate in adistributed and/or coordinated manner as a processing system to performoperations in connection with the present disclosure.

In one example, AS 104 may comprise a plurality of applications or dataprocessing modules that perform various operations on data stored in theDB 106 and/or on other data. For instance, the AS 104 may host anapplication that constructs social graphs based on the call data records(CDRs) of mobile phone service subscribers. The application (or anotherapplication hosted on the AS 104) may also extract, from the socialgraphs, subgraphs that may be indicative of the presence of fraud ringsin a communications network. The application (or another applicationhosted on the AS 104) may also include a notification function to alerta service provider and/or the authorities to the presence (and,additionally to the identities of the members) of fraud rings.

In one example, the DB 106 may store CDRs for mobile communicationsservice providers, and/or for providers of another service that isprovided at least in part via a communications network. Each CDR that isstored in the DB 106 may contain information (but not the content)associated with one telecommunication transaction (e.g., phone call ortext message) that traversed the system 100. For instance, each CDR mayinclude, for a corresponding telecommunication transaction, one or moreof the following pieces of information: the phone number associated withthe calling party, the phone number associated with the called party,the starting time (e.g., date and time) of the transaction, the durationof the transaction, the phone number that is billed for the transaction,the telephone exchange or equipment writing the CDR, a unique sequencenumber of the CDR, call type (e.g., voice, short messaging service, orthe like), and/or other information.

In a further example, the DB 106 may store social graphs that areconstructed by the AS 104 from the CDRs. The social graphs, which arediscussed in greater detail below, may illustrate the relationshipsbetween different phone numbers that have received and/or originatedcalls within the system 100.

For ease of illustration, various additional elements of network 102 areomitted from FIG. 1 .

It should also be noted that the system 100 has been simplified. Thus,it should be noted that the system 100 may be implemented in a differentform than that which is illustrated in FIG. 1 , or may be expanded byincluding additional endpoint devices, access networks, networkelements, application servers, etc. without altering the scope of thepresent disclosure. In addition, system 100 may be altered to omitvarious elements, substitute elements for devices that perform the sameor similar functions, combine elements that are illustrated as separatedevices, and/or implement network elements as functions that are spreadacross several devices that operate collectively as the respectivenetwork elements. For example, the system 100 may include other networkelements (not shown) such as border elements, routers, switches, policyservers, security devices, gateways, a content distribution network(CDN) and the like. For example, portions of network 102, accessnetworks 110 and 112, and/or Internet may comprise a contentdistribution network (CDN) having ingest servers, edge servers, and thelike for packet-based streaming of video, audio, or other content.Similarly, although only two access networks, 110 and 112 are shown, inother examples, access networks 110 and/or 112 may each comprise aplurality of different access networks that may interface with network102 independently or in a chained manner. Thus, these and othermodifications are all contemplated within the scope of the presentdisclosure.

FIG. 2 illustrates a flowchart of an example method 200 forautomatically detecting fraud rings in mobile communications networks,in accordance with the present disclosure. In one example, the method200 is performed by a component of the system 100 of FIG. 1 , such as bythe AS 104, and/or any one or more components thereof (e.g., aprocessor, or processors, performing operations stored in and loadedfrom a memory), or by the AS 104 in conjunction with one or more otherdevices. In another example, the steps, functions, or operations ofmethod 200 may be performed by a computing device or system 400, and/orprocessor 402 as described in connection with FIG. 4 below. Forinstance, the computing device or system 400 may represent any one ormore components of the system 100 of FIG. 1 that is/are configured toperform the steps, functions and/or operations of the method 200.Similarly, in one example, the steps, functions, or operations of method200 may be performed by a processing system comprising one or morecomputing devices collectively configured to perform various steps,functions, and/or operations of the method 200. For instance, multipleinstances of the computing device or processing system 400 maycollectively function as a processing system. For illustrative purposes,the method 200 is described in greater detail below in connection withan example performed by a processing system.

The method 200 begins in step 202 and may proceed to step 204. In step204, the processing system may obtain a first port-in number for a firstmobile device from a first mobile communications service provider,wherein the first port-in number is known to be involved in fraudulentactivity. For instance, the first mobile device may comprise a mobilephone, and the phone number for the first mobile phone may be a numberthat is being transferred from a second mobile communications serviceprovider to the first mobile communications service provider. The phonenumber for the first mobile device may be a blacklisted number based ona previous fraudulent activity in which the first mobile device wasknown to be involved. Alternatively, a second mobile communicationsservice provider from which the phone number for the first mobile deviceis ported may inform the first mobile communications service providerthat the first mobile device was involved in the fraudulent activity.

In step 206, the processing system may construct a social graph ofcommunications between the first port-in number and a plurality of othernumbers associated with a plurality of other communications devices(e.g., other mobile devices including mobile phones, landline phones,and other devices). Thus, the first port-in number may comprise a seedfor the social graph. In one example, the other communications devicesmay comprise communications devices with which the first port-in numberhas exchanged communications within the defined period of time prior toport-in.

In one example, the social graph comprises a plurality of nodesconnected by a plurality of edges. In this case, each node representseither the first port-in number or one of the plurality of other numbersassociated with the plurality of other communications devices, and eachedge represents the social connection between the first port-in numberand one of the plurality of other numbers (i.e., the occurrence of atelecommunication transaction between the first port-in number and theone of the plurality of other numbers). Thus, in one example, each edgeconnects the first port-in number to one of the plurality of othernumbers. In one example, the edges may be directed to show which numberoriginated the communication(s) and which number received thecommunication(s). For instance, an arrowhead on an edge may point to thenode associated with the number that received the communication(s).

In one example, the edges may also be weighted by the strength of thesocial connection. The strength of the social connection may be based onthe usage metrics, discussed above (e.g., based on a number oftelecommunications transactions between the connected nodes). Forinstance, the weight of an edge may be proportional to the number ofcalls between, the durations of calls between, and/or the number of textmessages between the first port-in number and the one of the pluralityof other numbers to which the edge connects the first port-in number(where, again, the usage metric may be analyzed over the defined periodof time). Thus, if the first port-in number exchanged twenty calls witha first number of the plurality of other numbers over the defined timeperiod and three calls with a second number of the plurality of othernumbers over the defined time period, then the weight of the edgeconnecting the first port-in number to the first number may be greaterthan the weight of the edge connecting the first port-in number to thesecond number. However, it should be noted that the usage metrics arenot limited to measures of counts or durations. For instance, the usagemetrics may also include a volume of data (e.g., number of bytes)transferred between numbers (e.g., the first port-in number and thefirst number).

As an example, Table 1, below, illustrates a set of example phonenumbers that may be associated with various mobile communicationsservice providers.

TABLE 1 Example set of phone numbers Node Label Phone Number ServiceProvider Fraudulent? A (aaa) aaa-aaaa Service Provider 2 Yes B (bbb)bbb-bbbb Service Provider 2 C (ccc) ccc-cccc Service Provider 1 D (ddd)ddd-dddd Service Provider 1 Yes E (eee) eee-eeee Service Provider 1 F(fff) fff-ffff Service Provider 3 G (ggg) ggg-gggg Service Provider 4Yes H (hhh) hhh-hhhh Service Provider 1 Yes I (iii) iii-iiii ServiceProvider 1 J (jjj) jjj-jjjj Service Provider 1 Yes K (kkk) kkk-kkkk N/AN/AIn Table 1, the “node label” field indicates the label of a node in asocial graph (e.g., the example social graphs of FIGS. 3A-C, discussedin further detail below). The “phone number” field indicates the phonenumber of the mobile device indicated by the associated node label. The“service provider” field indicates the mobile communications serviceprovider that provides service to the mobile device (where ServiceProvider 1 may be the first mobile communications service provider). The“fraudulent” field indicates whether the mobile device is assumed orknown to have been used in connection with fraud. For instance, thefraudulent field may indicate “yes” where the phone number is a seedport-in number (e.g., the first port-in number). In some cases,information about the carrier or fraudulent use may be unavailable(N/A).

FIG. 3A illustrates an example social graph 300 that may be constructedaccording to the method 200 of FIG. 2 , using the information containedin Table 1. In one example, the node labeled “A” is the seed number,e.g., the first port-in number. A subsequent search for inbound andoutbound communications in which the node labeled “A” was either thecalling or called party may show that, within the defined period of timeprior to port-in, the devices associated with the node labels “C” and“D” exchanged communications with the device associated with the seednumber.

Thus, the example social graph 300 may comprise three nodes 3021-3023(hereinafter individually referred to as a “node 302” or collectivelyreferred to as “nodes 302”), labeled A, C, and D. In this case, based onthe information in Table 1, nodes 3021 and 3023 (labelled A and D)correspond to either seed numbers or to numbers known to be associatedwith communication devices that have been used in connection withfraudulent activity (or both). In one example, the nodes 302 of thesocial graph 300 may include some unique visual indication todifferentiate which nodes 302 are known to be associated withcommunication devices that have been used in connection with fraudulentactivity. In the example of FIG. 3A, for instance, the nodes 3021 and3023 include rings around the nodes. Although not shown in FIG. 3A, thesocial graph may also include some visual indication to shown whichmobile communications service providers are associated with which nodes302. For instance, if the social graph 300 is a color graph, the nodes302 may be color coded based on mobile communications service provider(e.g., all nodes 302 corresponding to communications devices that areserved by the same mobile communications service provider may be thesame color).

As also shown, the example social graph 300 of FIG. 3A includesdirected, weighted edges 3041-3043 (hereinafter individually referred toas an “edge 304” or collectively referred to as “edge 304”). The edge3041 indicates that at least one telecommunications transactionoriginated at the node 3022 and was received by the node 3021; the edge3042 indicates that at least one telecommunications transactionoriginated at the node 3021 and was received by the node 3022; and theedge 3043 indicates that at least one telecommunications transactionoriginated at the node 3021 and was received by the node 3023. Moreover,each edge 304 is assigned a respective weight: the edge 3041 is assigneda weight w1; the edge 3042 is assigned a weight w2; and the edge 3043 isassigned a weight w3.

As illustrated in FIG. 3A, in one example, the social graph is a one-hopnetwork, i.e., a network in which a communication travels from a sourceto a destination in one hop (or through one edge). Put another way, thesocial graph may be constructed using only communications that arerelated directly to the first port-in number (i.e., communications onwhich the first port-in number was the calling number or the callednumber). Based on this one-hop network, one can conclude that there is ahigh likelihood that the communications devices associated with thenodes 3021 and 3023 are being manipulated by the same person or arebeing manipulated by different people who are members of the same fraudring. There is also a possibility that the communications devicesassociated with the nodes 3021 and 3023 are being manipulated bydifferent people who are engaged in fraud and who know each other, butwho are not necessarily working together as part of a fraud ring.However, in further examples of the method 200, the processing systemmay perform further steps to differentiate between perpetrators of fraudwho have communicated with each other but are working independently, andperpetrators of fraud who have communicated with each other because theyare working together.

For instance, referring back to FIG. 2 , in optional step 208(illustrated in phantom), the processing system may recursively expandthe reach of social graph 300 that was constructed in step 206, toconstruct an expanded social graph 300. In one example, the reach of thesocial graph 300 is expanded by at least one hop. A one-hop network asillustrated in FIG. 3A provides a limited view of the activity of a seedphone number, and this is even more true when the seed phone number isnot served by the first mobile communications service provider on whosebehalf the social graph 300 may be constructed. For instance, the firstmobile communications service provider may not be able to determine,based on a one-hop network, whether the seed phone number was involvedin a telecommunications transaction with any phone numbers associatedwith devices that are not customers of the first mobile communicationsservice provider. However, expanding the social graph by even one hopmay increase the amount of useful information that is visible.

To expand the social graph by one hop, the processing system may addnodes 302 and edges 304 for any phone numbers that directly exchangedtelecommunications transactions with the existing nodes, i.e., the nodes3021-3023. FIG. 3B, for instance, illustrates the example social graph300 of FIG. 3A that has been expanded by one hop using the informationcontained in Table 1.

As illustrated, the example expanded social graph 300 has added thenodes 3024-3028 (labelled as B, E, F, G, and K) and the edges3044-30412. One of the nodes, i.e., node 3027, is visually indicated ashigh risk according to the scheme described above (and according to theinformation in Table 1). The edge weights of FIG. 3A have been omittedfor simplicity.

Based on the example expanded social graph 300, it is still unclearwhether any telecommunications transactions occurred between the seedphone number represented by node 3021 (A) and the phone numberrepresented by node 3024 (B), as indicated by the dashed lines of theedges 3044 and 3045. This is because neither of the phone numbers isserved by the first mobile communications service provider (i.e.,Service Provider 1). However, it can now be seen that nodes 3022 and3023 (C and D) have not exchanged any telecommunications transactions(at least during the time period covered by Table 1), since at least oneof these nodes (both C and D in this example) are served by the firstmobile communications service provider.

FIG. 3C illustrates the example social graph 300 of FIG. 3A that hasbeen expanded by two hops (i.e., one hop more than illustrated in FIG.3B) using the information contained in Table 1. To expand the exampleexpanded social graph 300 by one more hop, the processing system may addnodes 302 and edges 304 for any phone numbers that exchangedtelecommunications transactions with the existing nodes, i.e., the nodes3021-3028. As illustrated, the example expanded social graph 300 hasadded the nodes 3029-30211 (labelled H, I, and J) and the edges30413-30418. Two of the nodes, i.e., nodes 3029 and 30210, are visuallyindicated as high risk according to the scheme described above (andaccording to the information in Table 1). The edge weights of FIG. 3Ahave been omitted for simplicity.

Thus, step 206 may add a first subset of nodes to the social graph,while step 208 may add additional (e.g., second and subsequent, asdiscussed below) subsets of nodes to the social graph.

Based on the example expanded social graph 300, it is still unclearwhether any telecommunications transactions occurred between the seedphone number represented by node 3021 (A) and the phone numberrepresented by node 3024 (B), as indicated by the dashed lines of theedges 3044 and 3045. This is because, as discussed above, neither of thephone numbers is served by the first mobile communications serviceprovider (i.e., Service Provider 1). However, it can still be seen thatnodes 3022 and 3023 (C and D) have not exchanged any telecommunicationstransactions (at least during the time period covered by Table 1), sinceat least one of these nodes (both C and D in this example) are served bythe first mobile communications service provider.

Moreover, additional relationships can be discerned. For instance, thedegree of node 3027 (G), i.e., the number of incoming and outgoing edges(six, in the illustrated example), suggests that the node 3027 may beconsidered an “influencer.”

The example expanded social graph 300 may be further expanded in asimilar manner by any number of hops. However, the greater the number ofhops encompassed by the social graph, the less meaningful therelationships that can be discerned may tend to be. For instance, at acertain number of hops, almost any pair of nodes may be connected toeach other somehow, even if the connection is tenuous. Moreover,individual social graphs may become conjoined due to indirect ties.Thus, the choice of how many hops by which to expand the social graphmay balance the desire to discover larger fraud rings versus the need toavoid inadvertently connecting unrelated rings due to indirect ties.

Referring back to FIG. 2 , in step 210, the processing system mayidentify a maximal subgraph of the social graph (which may or may nothave been expanded by one or more hops according to step 208), where themaximal subgraph connects the first port-in number and a subset of theplurality of other numbers that includes those of the other numbers forwhich a usage metric is below a predefined threshold for a definedperiod of time prior to the first port-in number being ported into thefirst mobile communications service provider (i.e., identified as beinglikely connected to fraud).

In one example, the usage metric may be at least one of: number of calls(incoming and outgoing) involving the number, durations (e.g., averageand/or total) of incoming and outgoing calls involving the number, andnumber of text messages (incoming and outgoing) involving the number. Inone example, the usage metric may be a single one of these metrics. Inanother example, the usage metric may be an aggregation of thesemetrics. For instance, the different metrics may be weighted (e.g., thenumber of calls may be multiplied by a first weight, the durations ofthe calls may be multiplied by a second weight, and the number of textmessages may be multiplied by a third weight), and the weighted metricsmay be summed together (e.g., to compute a weighted sum).

As discussed above, it has been observed that, especially for port-innumbers, for a period of time prior to the actual port-in, the usage ofphone numbers associated with fraud tends to be significantly lower thanthe usage of phone numbers not associated with fraud. In other words, ifa port-in number is associated with fraud, the usage of the port-innumber may be relatively low for the period of time prior to port-in.Thus, at least some of the other numbers in the subset may also beport-in numbers. In one example, the defined period of time over whichthe usage metrics are analyzed is between thirty and ninety days priorto port-in.

FIG. 3D illustrates an example maximal subgraph 306 that may beextracted from the example expanded social graph 300 of FIG. 3C. Asillustrated, the example maximal subgraph 306 connects all of the highrisk nodes 3021, 3023, 3027, 3029, and 30210 (A, D, G, J, and H) in theexample expanded social graph 300 (as well as the edges connecting thesehigh risk nodes) and omits the remaining nodes 302 (and edges 304).Thus, the maximal subgraph comprises a small network of interconnectednodes, where all of the nodes in the maximal subgraph share the propertyof being high risk (e.g., likely connected to fraud).

In step 212, the processing system may identify a potential fraud ring,based on the maximal subgraph. In one example, the entirety of themaximal subgraph may represent the potential fraud ring. That is, all ofthe nodes that are connected by the maximal subgraph may be consideredpotential participants in a common fraud ring. In another example, aportion of the maximal subgraph (e.g., a subset of the nodes in themaximal subgraph) may be considered potential participants in a fraudring. For instance, the minimum threshold may be imposed on the weightsof the edges connecting the nodes of the maximal subgraph, and a nodemay be considered a potential participant in the fraud ring only if theweight of the edge connecting the node to another node in the fraud ringat least meets the minimum threshold. Optionally, the processing systemmay also identify in step 212 a possible leader or coordinator of thepotential fraud ring, based on the maximal subgraph. For instance, asdiscussed in connection with the example maximal subgraph 306 of FIG.3D, the node of the maximal subgraph having the highest degree (e.g.,the most connections to other nodes in the maximal subgraph) may beconsidered the leader or influencer of the potential fraud ring.

In one example, the potential fraud ring identified in step 212 may beexpanded to consider nodes that are outside of the maximal subgraph. Forinstance, in one example, a node in the expanded social graph that isnot indicated as high risk may be added to the potential fraud ring ifthe usage pattern of the node is similar to the usage pattern used todefine high risk port-in numbers (e.g., a usage metric for the phonenumber associated with the node is below a predefined threshold for adefined period of time prior to the port-in of the first port-innumber). Any nodes meeting the usage pattern criteria that are alsoserved by the first mobile communications service provider may have aneven higher confidence of being connected to the potential fraud ring,since the first mobile communications service provider will have greatervisibility into the activities of these nodes.

The method 200 may end in step 214.

It should be noted that the method 200 may be run simultaneously for aplurality of seed numbers (e.g., port-in numbers that are known to befraudulent). In this case, the method 200 will generate a plurality ofmaximal subgraphs (e.g., as described in step 210), where the pluralityof subgraphs will not necessarily be related. The plurality of subgraphsmay represent a plurality of potential fraud rings (which, again, arenot necessarily related). Thus, the method 200 may be run wholesale fora plurality of seed numbers in practice, as opposed to being run for oneseed number at a time.

Once the processing system has identified a potential fraud ring, thereare a number of further actions that the processing system may take. Forinstance, in one example, the processing system may temporarily suspendservice to any members (e.g., devices or phone numbers) of the potentialfraud ring who are served by the first mobile communications serviceprovider. The suspension of service may include, for example, blockingcalls and text messages (incoming and/or outgoing). Calls and textmessages may be blocked to all non-emergency numbers (e.g., all numbersexcept for 911), to all other numbers that are identified as members ofthe potential fraud ring, or to other groups of numbers. Temporarysuspension of service may allow individuals whose numbers have beenincorrectly identified as members of a potential fraud ring to restoreservice upon completing some sort of verification process.

In a further example, the processing system may also notify the mobilecommunications service providers who serve the other members of thepotential fraud ring (i.e., the members not served by the first mobilecommunications service provider) of the numbers associated with thoseother members. The mobile communications service providers may similarlyelect to suspend service to these other members. In some cases, thephone numbers associated with the potential fraud ring may also beprovided to law enforcement agencies.

Furthermore, although the method 200 discussed using a port-in number asthe seed for the social graph, in other examples, any high risk number(e.g., a phone number that has already been identified as potentiallyconnected to fraud or is known to actually be connected to fraud, or aphone number for which a usage metric is below a predefined thresholdfor a defined period of time) may be used as the seed.

It should be noted that the method 200 may be expanded to includeadditional steps, or may be modified to replace steps with differentsteps, to combine steps, to omit steps, to perform steps in a differentorder, and so forth. For instance, in one example the processor mayrepeat one or more steps of the method 200, such as steps 208-210. Inanother example, the method 200 may include storing one or more digitalobjects, e.g., in a database or at the edge server. Thus, these andother modifications are all contemplated within the scope of the presentdisclosure.

In addition, although not expressly specified above, one or more stepsof the method 200 may include a storing, displaying and/or outputtingstep as required for a particular application. In other words, any data,records, fields, and/or intermediate results discussed in the method canbe stored, displayed and/or outputted to another device as required fora particular application. Furthermore, operations, steps, or blocks inFIG. 2 that recite a determining operation or involve a decision do notnecessarily require that both branches of the determining operation bepracticed. In other words, one of the branches of the determiningoperation can be deemed as an optional step. Furthermore, operations,steps or blocks of the above described method(s) can be combined,separated, and/or performed in a different order from that describedabove, without departing from the example embodiments of the presentdisclosure.

FIG. 4 depicts a high-level block diagram of a computing device orprocessing system specifically programmed to perform the functionsdescribed herein. For example, any one or more components or devicesillustrated in FIG. 1 , or described in connection with the method 200,may be implemented as the processing system 400. As depicted in FIG. 4 ,the processing system 400 comprises one or more hardware processorelements 402 (e.g., a microprocessor, a central processing unit (CPU)and the like), a memory 404, (e.g., random access memory (RAM), readonly memory (ROM), a disk drive, an optical drive, a magnetic drive,and/or a Universal Serial Bus (USB) drive), a module 405 forautomatically detecting fraud rings in mobile communications networks,and various input/output devices 406, e.g., a camera, a video camera,storage devices, including but not limited to, a tape drive, a floppydrive, a hard disk drive or a compact disk drive, a receiver, atransmitter, a speaker, a display, a speech synthesizer, an output port,and a user input device (such as a keyboard, a keypad, a mouse, and thelike).

Although only one processor element is shown, it should be noted thatthe computing device may employ a plurality of processor elements.Furthermore, although only one computing device is shown in the Figure,if the method(s) as discussed above is implemented in a distributed orparallel manner for a particular illustrative example, i.e., the stepsof the above method(s) or the entire method(s) are implemented acrossmultiple or parallel computing devices, e.g., a processing system, thenthe computing device of this Figure is intended to represent each ofthose multiple general-purpose computers. Furthermore, one or morehardware processors can be utilized in supporting a virtualized orshared computing environment. The virtualized computing environment maysupport one or more virtual machines representing computers, servers, orother computing devices. In such virtualized virtual machines, hardwarecomponents such as hardware processors and computer-readable storagedevices may be virtualized or logically represented. The hardwareprocessor 402 can also be configured or programmed to cause otherdevices to perform one or more operations as discussed above. In otherwords, the hardware processor 402 may serve the function of a centralcontroller directing other devices to perform the one or more operationsas discussed above.

It should be noted that the present disclosure can be implemented insoftware and/or in a combination of software and hardware, e.g., usingapplication specific integrated circuits (ASIC), a programmable logicarray (PLA), including a field-programmable gate array (FPGA), agraphics processing unit (GPU), or a state machine deployed on ahardware device, a computing device, or any other hardware equivalents,e.g., computer readable instructions pertaining to the method(s)discussed above can be used to configure a hardware processor to performthe steps, functions and/or operations of the above disclosed method(s).In one example, instructions and data for the present module or process405 for automatically detecting fraud rings in mobile communicationsnetworks (e.g., a software program comprising computer-executableinstructions) can be loaded into memory 404 and executed by hardwareprocessor element 402 to implement the steps, functions or operations asdiscussed above in connection with the example method(s). Furthermore,when a hardware processor executes instructions to perform “operations,”this could include the hardware processor performing the operationsdirectly and/or facilitating, directing, or cooperating with anotherhardware device or component (e.g., a co-processor and the like) toperform the operations.

The processor executing the computer readable or software instructionsrelating to the above described method(s) can be perceived as aprogrammed processor or a specialized processor. As such, the presentmodule 405 for automatically detecting fraud rings in mobilecommunications networks (including associated data structures) of thepresent disclosure can be stored on a tangible or physical (broadlynon-transitory) computer-readable storage device or medium, e.g.,volatile memory, non-volatile memory, ROM memory, RAM memory, magneticor optical drive, device or diskette and the like. Furthermore, a“tangible” computer-readable storage device or medium comprises aphysical device, a hardware device, or a device that is discernible bythe touch. More specifically, the computer-readable storage device maycomprise any physical devices that provide the ability to storeinformation such as data and/or instructions to be accessed by aprocessor or a computing device such as a computer or an applicationserver.

While various embodiments have been described above, it should beunderstood that they have been presented by way of example only, and notlimitation. Thus, the breadth and scope of a preferred embodiment shouldnot be limited by any of the above-described example embodiments, butshould be defined only in accordance with the following claims and theirequivalents.

What is claimed is:
 1. A method comprising: obtaining, by a processingsystem that includes at least one processor, a first port-in number fora first mobile device from a first mobile communications serviceprovider, wherein the first port-in number is assumed to be involved infraudulent activity based on a usage metric for the first port-in numberfalling below a predefined threshold for a defined period of time priorto the first port-in number being ported into the first mobilecommunications service provider; constructing, by the processing system,a social graph of communications between the first port-in number and aplurality of other numbers associated with a plurality of othercommunications devices; identifying, by the processing system, a maximalsubgraph of the social graph, wherein the maximal subgraph connects thefirst port-in number and a subset of the plurality of other numbers thatincludes those of the plurality of other numbers for which the usagemetric is below the predefined threshold for the defined period of timeprior to the first port-in number being ported into the first mobilecommunications service provider; and identifying, by the processingsystem, based on the maximal subgraph, at least one of the subset of theplurality of other numbers to be associated with an elevated level ofrisk for a fraudulent activity.
 2. The method of claim 1, wherein theusage metric comprises a number of calls involving a correspondingnumber of the subset.
 3. The method of claim 1, wherein the usage metriccomprises an average duration of calls involving a corresponding numberof the subset.
 4. The method of claim 1, wherein the usage metriccomprises a number of text messages involving a corresponding number ofthe subset.
 5. The method of claim 1, wherein the usage metric comprisesa weighted sum of a plurality of usage metrics.
 6. The method of claim1, wherein the defined period of time is between thirty and ninety days.7. The method of claim 1, wherein the social graph comprises: aplurality of nodes, wherein each node of the plurality of nodesrepresents the first port-in number or one of the plurality of othernumbers; and a plurality of edges, wherein each edge of the plurality ofedges indicates an occurrence of a telecommunications transactionbetween a pair of nodes of the plurality of nodes that is connected bythe edge.
 8. The method of claim 7, wherein each edge is weightedaccording to a strength of a connection between the pair of nodes. 9.The method of claim 8, wherein the strength of the connection is ameasure of a number of telecommunications transactions.
 10. The methodof claim 7, wherein the subset of the plurality of nodes thatcorresponds to those of the plurality of other numbers for which theusage metric is below the predefined threshold for the defined period oftime is provided with a unique visual indicator.
 11. The method of claim7, wherein the constructing the social graph comprises: constructing, bythe processing system, a one-hop network, wherein the one-hop networkincludes a first subset of the plurality of nodes, and wherein nodes inthe first subset correspond to the first port-in number and to those ofthe plurality of other numbers that have directly exchanged atelecommunications transaction with the first port-in number over thedefined period of time; and expanding, by the processing system, theone-hop network by at least one additional hop by adding a second subsetof the plurality of nodes, wherein nodes in the second subset correspondto those of the plurality of other numbers that have directly exchangeda telecommunications transaction with numbers corresponding to the firstsubset over the defined period of time.
 12. The method of claim 11,wherein the at least one of the subset of the plurality of other numbersis deemed to be part of a potential fraud ring.
 13. The method of claim12, wherein the potential fraud ring comprises a portion of the maximalsubgraph.
 14. The method of claim 13, wherein the portion comprisesthose nodes of the maximal subgraph for which a weight of a connectededge at least meets a minimum threshold.
 15. The method of claim 12,further comprising: identifying, by the processing system, a leader ofthe potential fraud ring, based on the maximal subgraph.
 16. The methodof claim 15, wherein the leader corresponds to a node of the maximalsubgraph to which a maximum number of edges of the plurality of edges isconnected.
 17. The method of claim 1, further comprising: suspending, bythe processing system, a communications service to at least one of: thefirst port-in number or the subset of the plurality of other numbers.18. The method of claim 1, further comprising: notifying, by theprocessing system, a second mobile communications service provider of apresence of at least one number of: the first port-in number or thesubset of the plurality of other numbers, wherein the at least onenumber is a number that is served by the second mobile communicationsservice provider.
 19. A device comprising: a processing system thatincludes at least one processor; and a computer-readable medium storinginstructions which, when executed by the processing system, cause theprocessing system to perform operations, the operations comprising:obtaining a first port-in number for a first mobile device from a firstmobile communications service provider, wherein the first port-in numberis assumed to be involved in fraudulent activity based on a usage metricfor the first port-in number falling below a predefined threshold for adefined period of time prior to the first port-in number being portedinto the first mobile communications service provider; constructing asocial graph of communications between the first port-in number and aplurality of other numbers associated with a plurality of othercommunications devices; identifying a maximal subgraph of the socialgraph, wherein the maximal subgraph connects the first port-in numberand a subset of the plurality of other numbers that includes those ofthe plurality of other numbers for which the usage metric is below thepredefined threshold for the defined period of time prior to the firstport-in number being ported into the first mobile communications serviceprovider; and identifying based on the maximal subgraph, at least one ofthe subset of the plurality of other numbers to be associated with anelevated level of risk for a fraudulent activity.
 20. A non-transitorycomputer-readable medium storing instructions which, when executed by aprocessing system including at least one processor, cause the processingsystem to perform operations, the operations comprising: obtaining afirst port-in number for a first mobile device from a first mobilecommunications service provider, wherein the first port-in number isassumed to be involved in fraudulent activity based on a usage metricfor the first port-in number falling below a predefined threshold for adefined period of time prior to the first port-in number being portedinto the first mobile communications service provider; constructing asocial graph of communications between the first port-in number and aplurality of other numbers associated with a plurality of othercommunications devices; identifying a maximal subgraph of the socialgraph, wherein the maximal subgraph connects the first port-in numberand a subset of the plurality of other numbers that includes those ofthe plurality of other numbers for which the usage metric is below thepredefined threshold for the defined period of time prior to the firstport-in number being ported into the first mobile communications serviceprovider; and identifying based on the maximal subgraph, at least one ofthe subset of the plurality of other numbers to be associated with anelevated level of risk for a fraudulent activity.